Showing posts with label http. Show all posts
Showing posts with label http. Show all posts

Thursday, March 21, 2013

Fingerprinting Web Servers

Fingerprinting web servers is a technique for finding more information about the server for further testing. When I say fingerprinting, it's basically just identifying the server based around the information it gives you, allowing you to know what kind of software it is running.

Identifying Versions

With simple requests to the server we can find out what software it is using. GET or POST requests will do. Requesting objects (files) that are not there or making requests for options that the server does (and does not) support are good places to start.

The pink color are the requests made after I connected.

1:  aichi@home# nc 127.0.0.1 81  
2:  head / http/1.0  
3:  HTTP/1.1 501 Method Not Implemented  
4:  Date: Fri, 22 Mar 2013 04:13:18 GMT  
5:  Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5  
6:  Allow: GET,HEAD,POST,OPTIONS,TRACE  
7:  Content-Length: 206  
8:  Connection: close  
9:  Content-Type: text/html; charset=iso-8859-1  
10:  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">  
11:  <html><head>  
12:  <title>501 Method Not Implemented</title>  
13:  </head><body>  
14:  <h1>Method Not Implemented</h1>  
15:  <p>head to / not supported.<br />  
16:  </p>  
17:  </body></html>  

The above is an output of the netcat command and a GET request to a local server here. HTTP requests are case sensitive. The server tried to process the option head and found that there was none. However it does show us all the options it allows: GET, HEAD, POST, OPTIONS and TRACE. We now also know the software the server is running, Apache, and it's version, 2.2.1.7. The operating system and even some of the other software is also listed (PHP, ModSSL and OenSSL).

1:  aichi@home# nc 127.0.0.1 81  
2:  HEAD / AICHI/6.6.6  
3:  HTTP/1.1 200 OK  
4:  Date: Fri, 22 Mar 2013 04:19:29 GMT  
5:  Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5  
6:  Connection: close  
7:  Content-Type: text/html;charset=UTF-8  

Using other methods supported by the server we can even get a listing (assuming there is not index file in place). Let's try the GET method.

1:  aichi@home# nc 127.0.0.1 81  
2:  GET / AICHI/6.6.6  
3:  HTTP/1.1 200 OK  
4:  Date: Fri, 22 Mar 2013 04:23:28 GMT  
5:  Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5  
6:  Connection: close  
7:  Content-Type: text/html;charset=UTF-8  
8:  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">  
9:  <html>  
10:   <head>  
11:   <title>Index of /</title>  
12:   </head>  
13:   <body>  
14:  <h1>Index of /</h1>  
15:  <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>  
16:  <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="0fees/">0fees/</a>         </td><td align="right">12-Feb-2013 19:56 </td><td align="right"> - </td><td>&nbsp;</td></tr>  
17:  <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="ForwardElectric%20Backup/">ForwardElectric Backup/</a></td><td align="right">07-May-2012 08:31 </td><td align="right"> - </td><td>&nbsp;</td></tr>  

I supplied an invalid version (aichi/6.6.6) and it still listed the directory contents, and yes, there was no index file. Let's see what it looks like with a blank index file.

1:  aichi@home# nc 127.0.0.1 81  
2:  GET / AICHI/6.6.6  
3:  HTTP/1.1 200 OK  
4:  Date: Fri, 22 Mar 2013 04:27:39 GMT  
5:  Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5  
6:  Last-Modified: Fri, 22 Mar 2013 04:27:17 GMT  
7:  ETag: "700000006ae2f-0-4d87bded2357a"  
8:  Accept-Ranges: bytes  
9:  Content-Length: 0  
10:  Connection: close  
11:  Content-Type: text/html  

Sooo.. something like...

1:  aichi@home# nc 127.0.0.1 81  
2:  TRACE / HTTP/1.1  
3:  host:localhost  
4:  X-Header: <script>alert(1)</script>  
5:  HTTP/1.1 200 OK  
6:  Date: Fri, 22 Mar 2013 04:31:48 GMT  
7:  Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5  
8:  Transfer-Encoding: chunked  
9:  Content-Type: message/http  
10:  4a  
11:  TRACE / HTTP/1.1  
12:  host: localhost  
13:  X-Header: <script>alert(1)</script>  
14:  0